As company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring?
WPA-EAP (Wi-Fi Protected Access - Extensible Authentication Protocol) is the best solution to prevent unauthorized devices from accessing the wireless network through brute force attacks on the PSK. WPA-EAP uses an Extensible Authentication Protocol framework that allows for more advanced authentication methods such as username and password, digital certificates, or token-based authentication, which are more secure than a simple Pre-Shared Key (PSK). This makes it significantly harder for unauthorized devices to gain access using brute force techniques. Other measures like WIDS can detect unauthorized access, but they are not primarily preventative in nature.
A WIDS would only be a detective control, not a preventative control as required by the question. Would B be a better answer here?
B WPA-EAP IS THE CORRECT ANSWER
The best option to prevent unauthorized devices from accessing the wireless network and to protect against brute force attacks on the wireless Pre-Shared Key (PSK) is to use a Wireless Intrusion Detection System (WIDS). A WIDS monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The system monitors the network for suspicious activity, unauthorized access, and other security breaches. WPA-EAP (Wi-Fi Protected Access - Extensible Authentication Protocol) is also a good choice for securing wireless networks, but it's primarily used for enterprise networks where users authenticate with a username and password, not with a PSK.
By using WPA-EAP if would allow the use for an authenticator like RADIUS. This would allow users and roles/groups to be created so if someone did brute force into the network they would at minimum have additional steps to take to escalate privileges etc to wreak havoc in the system compared to a PSK. An IDS of any type only detects, it does not prevent.
B. WPA-EAP (Wi-Fi Protected Access - Extensible Authentication Protocol). WPA-EAP provides a stronger form of authentication compared to a simple Pre-Shared Key (PSK). It uses an Extensible Authentication Protocol (EAP) framework, which allows for more advanced authentication methods such as username and password, digital certificates, or token-based authentication. By requiring users to authenticate using stronger credentials, WPA-EAP makes it significantly more difficult for unauthorized devices to gain access to the wireless network through brute force attacks on the PSK. While options like BPDU guard (A), IP filtering (C), and a WIDS (Wireless Intrusion Detection System) (D) may provide additional security measures, implementing WPA-EAP is specifically targeted at strengthening authentication for wireless access, making it the most effective solution for preventing unauthorized access via brute force attacks on the PSK.
The WPA-EAP offers the potential for centralized authentication with the use of RADIUS server. This means that you don't have to worry about Pre Shared Key brute forcing. A WIDS on the other hand will only detect the unauthorized user but it won't stop him as we all know.
B. WPA-EAP It's not WIDS (Wireless Intrusion Detection System). A WIDS monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The system monitors the radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally it is achieved by comparing the MAC address of the participating wireless devices. Rogue devices can spoof MAC address of an authorized network device as their own. New research uses fingerprinting approach to weed out devices with spoofed MAC addresses. The idea is to compare the unique signatures exhibited by the signals emitted by each wireless device against the known signatures of pre-authorized, known wireless devices. I don't see anywhere in my research that a WIDS would detect a brute force password attack.
(WIDS) Wireless Intrusion Detection System Can it prevent the attack??? I do not think so. I think that B. WPA-EAP is correct.
WPA-EAP does not work with PSK, otherwise it would be WPA-PSK. Best answer is WIDS
B,i don't think D makes any sense
WIDS isn't on the exam objectives.
I take that back, it is. But its on the Acronym List. WTF.
Both WIDS and WPA-EAP can prevent bruteforce into the internal network, but in different ways. WIDS can detect and respond to bruteforce attempts, while WPA-EAP can prevent them from happening in the first place. So, since the question is to choose BEST one that can PREVENT, I am going with WPA-EAP.
Are u smart
Get rid of the risk, and move to something more secure
Initially I went with EAP as that would remove the key vulnerability, but that would require Radius and usernames. WIDS would also require new infrastructure, but would allow the same WiFi design and the admins should be able to detect the attempts before a script kiddie is successful. I could be convinced either way...
Nah I don’t think a detection system can prevent something.
I would of choose WPA-EAP